Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Worf Maugg writes with this excerpt from Wired:
"Researchers at U.C. Berkeley have discovered that some of the net's most popular sites are using a tracking service that can't be evaded — even when users block cookies, turn off storage in Flash, or use browsers' 'incognito' functions. The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from — and the company says it does a more comprehensive job than its competitors such as Google Analytics."

The data collected can be used to track the user over several sites, as the "cram cookies" are persistent through browsing sessions. The only way to remove them is to clear all browser cache data on close and restart the browser. Sounds like privacy invasion to me - although ISPs forced to log user activity [slashdot.org] is far more damning than these transgressions.

And even more importantly, how does this qualify as "tracking?" I don't see anything in the description of this thing that suggests it looks at what other sites you go to (aside from how you got to theirs, which is hardly an issue) or what you do on them.

This sounds to me like just a way for devs to examine how their site is used so they can make it more efficient and useful. Calling it "tracking" is practically a smear unless the summary is wholl

Kissmetrics has a single identifier that is used and tracked across all sites that use it for an identifiable visitor. It would be stupidly easy to aggregate this data and get a complete profile of a person, esp. considering the sites using it - what shows they watch, when they watch them, what music they listen to and when, combined with geolocation data, where they do these things, and for sites with subscriptions, they will have credit card information and home location and contact information. The researchers have no way of knowing if such information is sold between sites, but if there was no "tracking" application to it, why is the identifier not unique between sites?

Have you RTFA? The image is quite informative: they put an user id both in a JS file and on that file's ETag. So when the user goes to a different site that also uses KISSmetrics, it'll ask for the same JS file and send the ETag/userid (in the 'If-None-Match' header).

I feel a plugin coming on that will randomise the ID reported this way. Or submits misleading results from sites that are not using the service. Or even shares IDs between users so the tracked information becomes one large blob that doesn't identify the actions of any one person/group...

The cache is already tied to the URL, but many sites link to centralized "tracking" services with their own domain.

The only way would be to tied the cache to the "parent" domain too, but that would break some advantages of centralized CDNs (if everyone uses JQuery from e.g.Google's CDN, the client doesn't have to redownload it every time).

The real solution I see is not allowing servers to choose their own ETag, and instead use an hash of the content. That way, you still know if the content has changed or no

"I feel a plugin coming on that will randomise the ID reported this way."

Or a plug-in that simply throws up random Google search phrases and randomly clicks links while your computer is idle, thus making any data obtained stained with uselessness and buried in garbage...kind of like my last 4 or 5 "bright ideas".

That pushes some "useless" load onto another (innocent, at least in this instance) service though, so would be bad network etiquette. The load from just a couple of us would be as close to nothing as makes no difference, but if many people used such a plugin (and it would take many for it to have any effect on the overall results of the tracking) the load may become significant.

How do I use adblock to block KISSmetrics i.js and j.js (or t.js, or whatever) scripts hosted on the domain I'm browsing, and not other scripts that happen to be named the same thing? It's not a very unique name, and adblock is blocking by name only.

Also I don't see that text on their site (and google can't find it). They do have an "opt out" button, but it's implemented client-side using cookies, which isn't a particularly great solution either.

My superior solution uses both Adblock Plus lists and Hosts lists. Basicly it a script that pulls several Adblock Plus and Hosts lists, mangles them and converts them to a format that SquidGuard can eat. My firewall redirects all HTTP traffic SquidGuard which then redirects all hits to a PHP page that checks for the mimetype of the offensive link and returns a clean tiny of same mimetype to my browser. This way the site thinks I've downloaded the ad, but it is never shown nor do I have to wait any longer th

:^\ -- you read everything but the first part of my post, where I said I was summarizing the voluminous amount of data you posted into something succinct (possibly missed due to bad word choice on my part -- precise instead of succinct) (so that people could actually internalize it). I did, of course skip the more esoteric parts, as anyone who was interested in those would likely have read all your posts. I also attempted to abstract the statements so that they would apply to any modern OS, not just Windo

Yeah I use noscript and adblockplus. I did a search in my browser's cookies for km_ and I didn't find anything. So I don't think their tracking stuff is that "undodgeable".Google and Facebook are more likely to be able to track you despite you trying to avoid it. Their stuff is "everywhere". If you use their services and go somewhere else but somehow still load stuff (images/scripts) from their servers (or servers they can get info from) they know who you are and what IP you are currently using. Even if yo

I don't think there is an equivalent for Google yet, but there are several options for blocking Facebook having anything to do with the sites you visit (other than facebook itself). Both adblock and script block have relevant options, for instance.

If you don't want to use adblock or scriptblock, or use a browser that they do not support so can't use them even if you want to, then there is this plugin: http://webgraph.com/resources/facebookblocker/ [webgraph.com] - there are versions for Firefox, Chrome, Opera and Safar

Google and Facebook are more likely to be able to track you despite you trying to avoid it. Their stuff is "everywhere". If you use their services and go somewhere else but somehow still load stuff (images/scripts) from their servers (or servers they can get info from) they know who you are and what IP you are currently using.

That's what RequestPolicy [requestpolicy.com] is for. You can control what images/scripts/content from other domains gets loaded on a site-by-site basis in a way similar to Noscript. It's great in addition to Noscript (not as a replacement).

For example, when you load Slashdot with RequestPolicy turned on, you don't get any of the static content like images/css because that all seems to be stored on fsdn.com. You can easily select the RequestPolicy icon and tell it to allow requests from slashdot.org to fsdn.com. In a similar manner, you can let google.com load scripts and content from google.com while preventing other domains from doing so.

It's really the only way to prevent client-side tracking services that haven't yet hit the blacklists. It's more than the average user would be willing to do, but if you really want to stop tracking or you're just interesting in seeing which CDNs and how many off-domain resources sites use, it's worth checking out.

RequestPolicy works as you say, but how is the average user supposed to know whether to allow fsdn on Slashdot or not? Is fsdn safe or not? Who knows? Some sites have 50 domains that provide content and it is not possible to just disallow everything; the site will be nearly blank. It works, but is difficult to use in practice.

In the first request, the response header has ETag: "97a-494505e0c46c0"

In the second request, the request header has If-None-Match: "97a-494505e0c46c0" - this acts like a cookie.

If the "tracking" server receives a request with no If-None-Match: header, it replies with the file and sets the ETag to a unique value (exactly equivalent to the "cookie" value). If the server receives a request with the If-None-Match:, the value can be used to track the user... for example the server takes the If-None-Match: value, and returns back the image with the same etag value, and *also* set a cookie with that value in the response header!

You obviously didn't read the article. etags aren't javascript based, they're part of the browser caching mechanism. Even if you block the cookie creation script, which allows sites hosting the scripts to recreate the cookies, the actual tracking service is still tracking you.

Maybe you read a different article. The one I read had almost no technical information, but did have a link to KiSSMetric's explanation [kissmetrics.com], which states:

When i.js loads, we set ETags and HTTP headers to tell the browser to cache the value of i.js for as long as possible. We also set the person’s random identity in a first-party cookie and as a third-party cookie on our domain (i.kissmetrics.com).

Blocking the javascript files (or blocking cookies and the ETag header) would eliminate the tracking.

Pretty sure browsers clear them on cache-clearance too.If not, shame on browser makers. Every single thing a site is capable of saving should be capable of being deleted, regardless of how small it is.

I use the "Modify Headers" firefox add-on to filter the If-Match, If-None-Match, If-Modified-Since etc. headers, because they can all be used to store cookie-like bits of data. This has been known about for a while.

So, for me this is like a session-cookie, if it even gets loaded: I have my FF cache folder symlinked to a folder in my ram-backed/tmp/ folder(does provide a speed-increase). On shutdown it gets wiped, there goes all my eTags, js and other cached files.

javascript tries to hide what its doing in plain site. I disable js for most sites. its evil.

flash also exists MOSTLY to deliver ads. I have flash disabled and hard linked to/dev/null. no way any flash cookies are saved on my system.

if I need to view youtube (rarely) I use the cli util 'youtube-dl'. nice side effect: I get to KEEP a local copy of the video, should the 'job creators' (...) decided to pull the content back at some point in the future.

It has a look-but-don't-touch licence for the source code. Being able to look is better than nothing, but if no one can modify or fork it, then it's unlikely that anyone's reading the source code at all. I wouldn't trust my privacy to something with no community or third-party oversight.

Mod this up. Ghostery is the answer. They deterministically block 100s of trackers (by essentially refusing to load javascript/pages/what have you from their sites/of specific appearance etc).Blocks KISSmetrics just fine. Nothing to see here.

I've been using Ghostery for over a year.
I currently have nothing in my whitelist and have had to temporarily allow certain scripts maybe 6 times.
Ghostery is a solid tool and a mainstay in my suite of privacy addons along with:
Adblock Plus
NoScript
RefControl
BetterPrivacy
QuckJava
Torbutton (useful even when not using Tor).

There are always ways. It only depends on how much effort you want to put into it. You could use proxy servers to mask IP and change them frequently or even jump from one free wifi hotspot to another. You could repeatedly purge all your cache, cookies, history etc after every site you visit. You could use multiple computers. You could write scripts to send your browser clicking thousands of links and visiting thousands of pages to obscure the actual surfing behavior.

If worst comes to worst, you could travel across the country, nomadically roaming between random libraries, public internet terminals and wifi hotspots, each time using a different browser, operating system and site logins. Or you could just start using paper to get your information again.

There are always ways. It only depends on how much effort you want to put into it. You could use proxy servers to mask IP and change them frequently or even jump from one free wifi hotspot to another. You could repeatedly purge all your cache, cookies, history etc after every site you visit.

If you RTFA, you'll see that this service is using persistent storage on your computer that is NOT contained in your cache, cookies, or browser history. Even using a DIFFERENT BROWSER on the same computer (i.e. Firefox, then Chrome) this site can track you and link your sessions. I regard this a as a browser bug, and it needs to be fixed in the browser. We can't rely on legislation or promises of good behavior from website operators to fix this problem. It really needs to be fixed in the browser, or, i

yes, most porn on internet originally originated from paper publications. midget, animal, everything.in such, it's the internet that proved to everyone that yeah, sexual stuff does happen. you no longer needed to go to a city with a sleaze district to know.

anyways, if sites are dynamically created, it's easy enough to make every link ride POST information or a trailing argument in the url which can used for tracking a particular users link journey through the site. how it would be news I don't know though.

Taking a quick look at the JavaScript they use there doesn't appear to be anything particularly unusual going on such as browser fingerprinting [eff.org], or even as encompassing as evercookie [samy.pl] which can be easily defeated using built in browser options. The only thing that seems different about it is that it attempts to use more storage techniques than other tracking services, browser local storage , e-tag tracking, and ie userdata storage in addition to the common browser and flash cookies. To say that it "can't b

For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics.

Now, I'm no fan of tracking or advertising, but TFS/A sounds like scaremongering to me, I fail to see how this service is any more "unblockable" than other analytics providers such as Google. Moreover, since many people are signed into Google all the time for things like Gmail, I'd say Google has the capabi

If I'm understanding their site correctly, it's also blocked by NoScript (or, for that matter, just turning JavaScript off).

There are many sites that are useless without Javascript, but it's hardly surprising to me that allowing a general-purpose programming language to run on your browser creates privacy problems. Many of those sites don't really need Javascript, and I block as much JS as possible. I've walked away from sites rather than turn on JS; that's both my loss and theirs.

But most noscript users allow the "same domain" as the site they are visiting, so the page is usable (navigation, ajax, etc). If i.js and j.js are hosted on the same domain you are visiting (not 3rd party hosted) then noscript may not help you. Even those users that are super-strict about allowing scripts will often temporarily-allow a subdomain for the purpose of using the site. A few temp-allows between some major sites will thus lead to you being tracked across those sites.

KISSmetrics uses a variety of technologies to track people across the various browsers and computers they use. In doing so, we provide our customers a full view into how their customers interact with their websites.

Sites who use KISSmetrics may choose to provide us with personally identifiable information for their customers, or they may choose to use anonymized identities.

Sites have always had the option of using one of our server-side APIs, which do not set cookies or use any other means of identification. As of July 2011, sites may also choose to use only traditional cookie-based KISSmetrics tracking, which means that user information would be cleared whenever the consumer cleared their browser cookies.

For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics. Learn more about AdBlock Plus.The Technical Details

When a person visits a site that is using the KISSmetrics Javascript API, two javascripts are loaded:

t.js
i.js

t.js is the same for all people who visit a specific site (t.js is unique to each KISSmetrics customer).

i.js returns a unique âoeidentityâ for each person. This identity is just a random set of characters â" it does not contain an email address, name, IP address, or anything else that would be useful for identifying a person outside of KISSmetrics.

When i.js loads, we set ETags and HTTP headers to tell the browser to cache the value of i.js for as long as possible. We also set the personâ(TM)s random identity in a first-party cookie and as a third-party cookie on our domain (i.kissmetrics.com).

This means that if a person clears their browser cache or cookies, the random identity is likely to persist and that person will keep being âoeknownâ as a consistent random identity. If the random identity persists in one of these methods, we will reset the others so they all share that same random identity.

We do not use CSS or other versions of the technique known as history knocking.

The cached value for i.js is unique to a person, regardless of which site they are visiting. This means that to KISSmetrics, we know a single person by the same randomly-generated identity whether theyâ(TM)re visiting customer site A or customer site B. However, there is no way for our customers to access each others' data or know anything about a person's activities on other sites.

This is similar to credit card purchases â" Store A knows what you bought at Store A with your Visa. Store B knows what you bought at Store B with your Visa. Visa knows what you bought on Store A and Store B, but does not share that information between vendors. Just like Visa, KISSmetrics does not share any information about your interactions with Site A with Site B or with any third parties.The Privacy Details

KISSmetrics has never, and will never, share personally-identifiable customer information with any third party sites.

KISSmetrics has never, and will never, share anonymous customer activity of what people did on customer Aâ(TM)s site with customer B.

Person data is available to the KISSmetrics customer for the lifetime of their relationship with KISSmetrics. When a customer ends their relationship with KISSmetrics, they may request that their data be deleted within 30 days.

If you have questions, weâ(TM)re happy to answer them at privacy@kissmetrics.com."

In the case of the VISA card two companies could check with each other if any customers were using the same car too. But that is not enabled by the system other than being the source of the single identifier in the same way VISA is...

However the difference really is that the person has no idea said unique identifier is being assigned to them.

So there you go. NoScript->no KISSmetrics. "Can't be dodged"? Nonsense. For those who canot live without JS it should be trivial for a plugin to detect and delete their scripts. As usual the evil "tracking" requires the active cooperation of your browser.

This sort of thing is why the EU's half-witted privacy rules on cookies miss the point.

The thing to control is the tracking of users (particularly without their consent), and the storage and onward transmission/sale of user-information - not some particular technology that is being used to do that at any given stage in the evolution of the web.

Of course, if your legislative process is owned by the corporate world, or your voters believe in the rights of corporations, rather than citizens, that is unlikely to happen.

The main trick used was to persistently store data via Flash. The article did say that other persistent storage techniques were used (SQLite, localStorage, etc.. technologies iOS has as well) but one less, and a very commonly used technique, is rendered useless if you're on an iPhone or iPad.

That's what I thought this article would be about. It looks to me that the font list provides the most identifying information. Anyone know a way to tell your browser to not report your installed fonts?

Your browser fingerprint appears to be unique among the 1,684,880 tested so far.

Yeah right, that's what they whisper in your ear, telling you you are the only special one in the whole universe... until you find the web site has been seeing lots of other browsers, frequently, and without protection.

I was kind of hoping this was Google's doing - I was looking forward to the hilarity of watching Slashdotters' verbal and logical contortions while attempting to explain why it's actually a good thing...

The guy in charge says they are not doing anything illegal, so I feel a whole lot better. Sort of like when a bank says they're not doing anything illegal when they send you the 12th set of final mortgage papers and then tell you there's a mistake (for the 12th time) and you have to submit everything again and they've already charged you $80000 in fees... Nope, no problem there.

Since this uses specific js-tech/js-functions, is there a way to block specific js-functions ? e.g block calls to ajax by specific websites, cuz a website could easily mask as something useful but make calls to java functions that could be used for mischief.

As someone who writes "visibility software" let me just say, there is absolutely no way you will ever have privacy on the web. You can use TOR, or TOR like services, if you don't mind TOR servers being the ones that track you. You can use VPN's if you don't mind the people selling VPN connectivity tracking you. If your traffic is not encrypted or terminates at an untrusted site it is visible. Oh. And just so you know. Encrypted packets carry your mac address because there isn't changes to the headers

No. I'm one of those assholes that writes software with the explicit intention of allowing applications like snort to protect people. Unfortunately, it is also usable for other things. The mac address of the machine is encap'd in the header of the packet before decryption. When it is decrypted the mac information is still there. The outer headers of the packet (post encryption) do not have the mac address of the machine. The mac address of the last hop is what you will see in those headers. I suspect

This can be dodged by disabling javascript, like everyone already does, who cares about privacy.

I also appear to have dodged it by having their servers blocked in/etc/hosts. Not sure at which point I did that.

Blocking access to the KISSmetric site is only a temporary solution as it will do nothing to solve the underlying security problem which this site is exploiting. There's nothing to prevent other services from springing up which do much the same thing. This is a problem which must be solved in the browser.

I disabled jscript by default and only allow a few whitelisted sites to run em. Much easier on me and keeps FF running a bit faster because I don't have tons of shit in the about:config listing for noscript.